Friday, March 29, 2013

In order to prevent thefts of babies from hospitals, the Maharashtra government has asked state-run medical centres to ensure biometric identification of infants within two hours of birth.

As far as I know, it's easier to apply biometric identity management techniques to the adults who have a right remove a baby from a hospital than it is to biometrically account for the identity of each infant. Face recognition doesn't work very well on infants and newborns aren't going to be able to help with the more participatory biometric modalities like iris and finger even if the algorithms are applicable to infant morphology (and I'm not sure that they are).

Footprints have been collected from newborns for a long time, but even though human experts can match properly executed paper and ink footprints, I'm not aware of any matching algorithms for the foot to automate that process.

So that leaves biometrics for the adults that are allowed in the maternity ward including parents/soon-to-be parents and a special category for individuals that are allowed to remove a newborn from hospital property: new parents exclusively.

Granted, that won't prevent baby mix-ups, but it can go a long way to making baby theft much more difficult.

In a more passive approach, SecurLinx has experience providing facial recognition capabilities to monitor a watch list of individuals restrained from approaching a maternity wing.

If anyone out there has any information on biometric algorithms intended for use on newborns, please send it along.

What:
Tweet chat on the use of biometric identification for border control, ePassports, visa applications, and voter registration with @CyrilleBataller of @Accenture. Mr. Bataller appears in the video Biometrics and Privacy: A Positive Match available at the Accenture sitehere. I'd embed it if I could.

Prominent among the contactless biometric identification technologies, Iris biometrics identifies an individual by analyzing random colored patterns within human irises, which are unique to each individual and do not easily alter over lifetime. Relatively young in the biometric identification market with commercial availability only since 1995, iris biometrics, thanks to its swift results, low failure to error rates and high accuracy levels, is however fast proving to be a preferred choice of biometric identification in a range of applications.

Growth in the iris biometrics market until now has been largely driven by increased adoption of the technology in travel and immigration segment and physical access control applications.

The summary of the report is very optimistic about the future of iris biometrics.

Roughly one-third of the surveyed companies from the financial sector do not measure return-on-investment (ROI) on their physical security investments. Security of data, assets, clients, and employees is top priority; thus, ROI measurement is sometimes not a neccessity. In cases for which ROI is measured, it is typically done via indirect measures (e.g., general increase of safety), and generally managers do not employ quantitative indices.

The repeated refusal of GPs, social housing officers and social security staff to act as immigration officers also means that if more robust residence tests are to be introduced for other EU nationals then an easy and authoritative way is needed of checking how long they have been in the country and what their immigration status is.

Ministers have confirmed that they are looking at plans to take fingerprints and other biometric data to be stored on a card with a photograph and electronic signature from new arrivals from next year.

It is within this context that the beleaguered UK Border Agency is being broken up(BBC). The UKBA is currently responsible for border protection, visa & passport issuance, asylum cases, immigration law enforcement, etc.

Tuesday, March 26, 2013

Not all AFIS are alike, however. State and local agencies often maintain their own databases, and although there can be some interoperability in a vertical hierarchy of local, state and federal databases, there is very little interoperability horizontally between neighboring jurisdictions. To search different databases, examiners must mark distinctive features for fingerprints manually for different systems, using different coding, notation methods and data definitions.

One YC-backed startup is betting that fingerprints and other forms of biometric identification may be the payment method of the future though. Called PayTango, they’re partnering with local universities to offer a quick and easy way for students to use their fingerprints to pay instead of credit cards.

The four-person team is basically almost fresh out of Carnegie Mellon University. The co-founders, Brian Groudan, Kelly Lau-Kee, Umang Patel and Christian Reyes, graduating later this summer and have experience in human-computer interaction and information systems.

Read the whole thing. The comments section is unusually lively, though severed-digit-phobia (or is it simple glibness?) seems endemic there. Really, folks. It's a point of sale terminal. I'm pretty sure severed fingers would attract some attention at a cash register, perhaps even more than a stolen credit card.

If you wade those comments there are some enlightened ones there, too.

Certified by the Department of Homeland Security as Qualified Anti-Terrorism Technology, CLEAR transforms the travel experience by allowing members to use their biometrics (fingerprint or iris) to speed through security at major US airports.

“We estimate that CLEAR members have saved over 30 million minutes that would have been spent waiting in line at airport security,” said Allison Romano, Director of Member Services. “The predictability of CLEAR is crucial for our members. Since 42% of members travel at least once per month, 15% travel once per week, and 50% travel during peak hours, CLEAR has a significant impact on their travel experience. That means more time living and less time waiting.”

Monday, March 25, 2013

Before you leave another cast member will show you how to use the new pass and will make sure that your biometric data is in the system. The next time you head to a park a cast member will direct you where you should go. You will then hold your ticket to the scanner and place your finger on the pad. When the light turns green, you're in.

It's my impression that Disney does this mostly for the purposes of making sure that discounted longer-term passes aren't shared among different individuals. It's not hard, however, envisioning that this might point the way toward future security applications.

UPDATE:Biometric Update picks up the story and runs with it, quoting this post. Our thanks go to the piece's author, Adam Vrankulj, and Biometric Update.

Sometimes it seems as though headline writers don'e even bother to read the articles.

India removes 384K Aadhaar biometric IDs(ZDNet) — Properly speaking, they weren't biometric ID's because they were created under the "biometric exceptions" provision that allowed for enrollments to be created without an acceptable biometric identifier. That provision was exploited by unscrupulous registrars who created fake enrollments for which they were paid.

The "biometric exception" was created out of necessity to account for those with unreadable fingerprints or for those who lacked fingers or hands altogether, however three quarters of the IDs generated under the biometric exception clause have been found to be fraudulent.

It is also interesting to note that if UID lacked a provision for the collection of a biometric identifier, it is unlikely that the large scale fraud would have been detected at all.

Wednesday, March 20, 2013

The Foreign Ministry said yesterday it has signed contracts with specialized international companies to set up biometric centers for providing visa services to prospective visitors to the Kingdom, including pilgrims.

A lot of parents worry when their kids first start taking the school bus by themselves. What if they’re snatched from the bus stop? What if they get off at the wrong stop? What if the bus is hijacked? Well, while the Kidtrack system can’t keep any of those things from happening, it can at least keep track of which children are on which buses, and where.

Tuesday, March 19, 2013

Key to the accuracy of the system was the composition of photos according to strict positioning criteria.

Victoria Police senior sergeant Cameron Tullberg said the quality of suspect photographs had degraded over decades.

At a recent police technology conference in Melbourne, Sgt Tullberg showed fellow officers recent photographs of such low quality that identification of suspects was almost impossible. In one photo an entire face was cropped out.

He said the requirements had been "turned all the way up", forcing police officers to properly compose a photo before it would be accepted by the system.

We have often made the point that facial recognition systems are best used by skilled operators. Their operation is far more complex than, say, fingerprint systems. This story from Australia draws attention to the fact that sensitivity to facial recognition "best practices" on the front end (data-gathering phase) leads to better matching down the road.

Monday, March 18, 2013

The Home Office plans to spend up to £16m on facial recognition technology for the Identity and Passport Service.

A tender notice in the European Union's Official Journal (OJEU) popped up this week that showed that Theresa May's department was now on the hunt for providers of a Facial Recognition Engine and a Facial Recognition Workflow for the IPS.

The article then proceeds to a brief discussion of the pros and cons of the tender.
The pros follow the benefits of a facial database search before issuing new photo ID documents (click for a good example). In this case the ID documents are British passports. The cons presented in the article come in two flavors, price and performance.

The money issues are common to any governmental expenditure.

The performance issue in the article that I want to address is "false reject rate." The false reject rate of a facial recognition system in the case at hand should be taken apart and put into two categories. The first category is the performance of the core face-matching technology, the second category is the performance of the entire Home Office organization.

What constitutes a "false reject" in the core technological sense is any "match" made by the face recognition system between a submitted image and the images in the searchable database that turns out to be an incorrect/inaccurate match. In other words, "matches" that aren't real matches are false rejects.

But in this case, the Home Office is ultimately judged, by how many bad passports it issues (false accept), not by the perfection of one mechanism in a rigorous process by which the organization arrives at its go/no-go decision. After all, if my name is John Smith and I submit my passport application to the Home Office, they will probably search their databases for "John Smith." If they find several, does that constitute an automatic false reject? Does that mean I can't get a passport? Of course not. Someone will look at the list of John Smith's to see if I'm pretending to be someone else with the same name.

Here, facial recognition is used to add an image capability to go along with the search the Home Office already does with new passport applications. It is not an automated decision-making engine. Even though facial recognition systems at very large scales or in chaotic environments are very difficult to automate, they can be extremely useful investigative tools for trained users.

Humans are pretty good at matching faces with small data sets. The processes people use to identify other people with high confidence levels are extremely complex and may take into account all sorts of information that facial recognition software doesn't. People, however, aren't very good at identity management among large numbers of people they don't know.

In biometrics, the software takes in a mere fraction of the information people use. It doesn't make any inference about it, and it does its job extremely quickly by treating the problem in a way that closely resembles Nikola Tesla's famous critique of Thomas Edison: “If Edison had a needle to find in a haystack, he would proceed at once with the diligence of the bee to examine straw after straw until he found the object of his search.”

When dealing with people we don't know, humans are relegated to the needle-in-the-haystack process and unfortunately, they do it so slowly as to make it impractical with large data sets. Even if you believe that computers running facial recognition software aren't very good at recognizing people, they're way better at dealing with the problem of large populations than people are.

The assumption buried in the "false reject" critique for this face-rec application is that narrowing a list of 300,000 down to ten possible matches represents 9 failures. More accurately, because pre-face-rec no image-based comparison is being conducted at all, it represents 299,991 successes

When biometric software is used to sort a large population according to the probability of a match, then to present the list of top candidates to a person trained to detect fraudulent passport applications, the result is a fraud-detecting capability that did not exist before. So, even though facial recognition software by itself may have a "false reject" rate, it does not operate in a vacuum and will almost certainly help the organization as a whole reduce the inappropriate issuance of passports, i.e. its "false accept" rate

So we finally arrive where we should have been attempting to go all along — Return on Investment (ROI). ROI can be hard to calculate in security applications. It can also be hard to calculate for government expenditures, but ROI is where the rubber meets the road. The proposition does not turn on whether facial recognition can dictate to human beings whether or not to issue a passport. It can't, and even if it could, most people would probably be uncomfortable giving up their right to appeal to a person in a decision-making capacity. Facial recognition can certainly help people make better decisions, though, and biometrics and ID are ultimately all about people.

Wednesday, March 13, 2013

Earlier this school year, Carroll County Public Schools had biometric scanners in place in about 10 school cafeterias, where they were used to help expedite the process of paying for school meals. Officials said the scanners would be more efficient than processing cash transactions or using a PIN keypad system.

But officials fielded complaints from some parents who felt the scanners were an invasion of privacy.

If you think biometrics for school lunch payment are bad, you're not going to like this:

The U.S. Department of Education is investigating how public schools can collect information on "non-cognitive" student attributes, after granting itself the power to share student data across agencies without parents' knowledge.

The feds want to use schools to catalogue "attributes, dispositions, social skills, attitudes and intrapersonal resources – independent of intellectual ability," according to a February DOE report, all under the guise of education.

Read the whole thing.

Like we've said before, "If schools are unable to keep data secure, biometric template information is the last thing that should concern parents." "Secure" doesn't really apply in the situation described above but the observation that schools already possess very detailed information about students stands.

For the curious:
This is an actual biometric template created using one finger, an off-the-shelf fingerprint reader and their freely-circulated software development kit (SDK). It consists of 800 hexadecimal characters.

Something similar could be used instead of a PIN number for lunch purchases in Maryland schools unless the state bans the technology.

Now which is more risky to student privacy, those 800 characters which I've freely put online and made public, or other types of records schools routinely and uncontroversially* keep?

*Ms. Pullmann seems to find the potential sharing of information without parental knowledge and the chipping away of existing privacy protections that prevented sharing of non-academic information (including biometric information) more problematic than the fact that schools know a lot of non-cognitive details about students.

Senators working on a bipartisan immigration bill are likely abandoning the idea of requiring a new high-tech federal ID for workers because it's too expensive.

Republican Sen. Lindsey Graham of South Carolina says cost estimates for the biometric ID card he favors came in higher than expected. The card was intended as a way to ensure employers don't hire illegal workers.

A doctor was arrested red-handed on Sunday, March 10 for using silicone fingers to fake the fingerprints use to mark the attendance of colleagues. She and the other doctors are employees of Samu Service (Emergency Medical Care) for Ferraz de Vasconcelos, in Greater São Paulo.

According to police, Thauane Nunes Ferreira, 28, registered the attendance of 11 doctors and 20 nurses. She told police she practiced the irregularity because she was coerced by her boss.

Six Samu Service (Emergency Medical Care) doctors in Ferraz de Vasconcelos, Greater São Paulo, paid R$ 4,800 [ed. $2,450 US] to the coordinator of the service in the city, Jorge Luiz Cury, in order to avoid working four 24-hours shifts per month for which they were paid, City Hall says. Police are investigating the case. The city pulled the servers allegedly involved in the fraud.

The day before yesterday [ed. see above], when the scheme was discovered, doctor Thauane Nunes Ferreira, 28, was arrested in the act of using mock fingers with silicone fingerprints to mark the attendance of six colleagues.

Where they have been adopted, biometrics have made ghostbusting easier. In this case, with time-and-attendance biometrics deployed someone had to create and use 31 rubber fingers (pictured at both links above). That draws attention. Without biometrics, scaling up the time-and-attendance fraud while decreasing the risk of detection would have been much easier. If this allegedly corrupt boss was willing to go up to at least 31 rubber fingers, how many paper employees would he have tried?

According to Wikipedia, Ferraz de Vasconcelos, where the fraud took place, is second-poorest of Greater São Paulo's 39 municipalities. Congratulations to all involved for stopping this instance of the corrupt stealing resources meant to provide health care to people far less fortunate than the doctors and administrators involved.

UPDATE:
[Via] Drudge and the BBC are now on the story. If you didn't want to wade through the Portuguese pieces linked above, you may be interested in these.

UPDATE II:
Upon closer examination of the the photos of the fake fingers used, another thought comes to mind. It certainly appears as though the fake fingers were created with the participation of their owners, making them evidence for the prosecution that they were complicit in the fraud. As it is, the fake fingers used in the fraud come from a variety of live finger models. In the two examples pictured below, the one on the left appears to belong to a male and the one on the right appears to belong to a female. If the counterfeiter wasn't working from live models, there would be no reason to add a fingernail to the back of the fake finger.

Had the doctors' prints been somehow lifted via subterfuge and placed onto a silicone finger without their knowledge, we might expect all of the fake fingers to look very similar as the finger counterfeiter might have used his own finger as a model and simply placed the doctors' prints on it. Alternatively, as with The Old Gummi Bear Trick, the item bearing the fingerprints needn't look much like a finger at all.

Without biometrics (and with a more careful set of individuals), it might have been very difficult to prove that the doctors involved weren't just victims of identity theft by a corrupt official. With the evidence on hand (!) it should be a simple matter to determine if the fake fingers match those of the ghost doctors.

A larger question is whether this story argues for or against the adoption of biometric systems for time-and-attendance. Nobody should claim that biometrics or any other security or ID management measure is perfect and infallible. Nothing is infallible. In this case, however, it appears that having a biometric rather than a paper-based time-and-attendance system increased the costs and complexity of committing the fraud. It made executing its daily function (clocking in) more difficult to do without being noticed. And (at least in this case) it forced those complicit in the scheme to create pretty significant evidence of their involvement.

As a manager or law enforcement official, which case would you rather prosecute: one with rubber fingers or one with only a paper trail?

Note: This post has undergone a few revisions for the purposes of updating the post, correcting typographical or grammatical errors and to add clarity.

BI Commissioner Ricardo David Jr said the programme will enhance the country’s border security and boost the agency’s capability to thwart the entry of foreign terrorists and other illegal aliens.

The new scheme involves the use of an ink-less device and digital camera in capturing the fingerprints and photographs of the foreign visitors.

Doing something like this is easier for some countries than others. The Philippines has some advantages and challenges. Advantages include the lack of land borders with other countries. Since it's an archipelago, they can be pretty sure that no one is walking or driving there, so except for clandestine boat or plane landings, covering the sea- and airports takes care of it. But there are a surprising (to me) number of those, so the integration challenges are real.

Also relevant to integrating the entry and exit points is the percentage of international travelers who enter a country through one international travel node and depart the country from another.

The more nodes, the more travelers, the more complex the travel patterns of international visitors, all of these things place additional pressures on any sort of entry/exit system and these complexities don't necessarily increase as a linear function.

Of course all of this has bearing on the United States which has every challenge there is. It's not surprising that, biometrics or no biometrics, the US lacks a comprehensive integrated entry/exit system. A couple of good pilot projects might go a long way towards getting an idea of the exact scope of some of the challenges, though.

Monday, March 11, 2013

The consensus view seems to be that Kenya really dropped the ball on integrating biometrics into its voter ID process. The few following examples should provide sufficient illustration, especially the item from the Turkish Weekly where a member of the Independent Electoral and Boundaries Commission acknowledges the failure of the biometric system.

It became clear last summer that little would be allowed to stand in the way of spending large sums of money: not laws governing the timing of voter registration and elections; not stated procurement processes; not offers of free equipment; and not the technical and organizational inability to execute on election day.

The bad news is it looks like that ordinary Kenyans, who deserve better, didn't get much for the money borrowed from Canada. Inevitably, some will use the occasion to discredit biometric voter ID in elections in general. That would be unfortunate, too.

The good news is that, at least so far, there has been no replay of the violence that took place following the last Kenyan national elections in 2007. We hope that continues to be true.

Friday, March 8, 2013

After kicking off facial recognition technology, the Department of Motor Vehicle says the state was arresting people by the thousands for possible identity fraud. They were even a bit surprised at the number of people trying to cheat the system.

"We've arrested 2,500. We've taken 5,000 to administrative hearings," said Owen McShane from the DMV.

Read the whole thing for an education about how lax issuance of legitimate ID documents enables crime.

Thursday, March 7, 2013

“The old method of registering voters did not have the inbuilt mechanism for accurate capturing of fingerprints which will assist in detecting multiple registrations and, therefore, there were instances where some unscrupulous individuals registered more than once.

“Biometric technology will make the detection and hence removal of multiple registration from the system resulting in the production of a more accurate and reliable register for all elections,” says the statement.

This means that the upcoming registration exercise will have an entirely new voters’ register that will replace the existing one and all voters identity cards.

In addition to capturing fingerprints, a voter’s photograph will also be taken on the spot. The photograph will be printed on the new securer voter identity card that will be issued to the voter at the point of registration as well as in the voters register.

The government has taken various steps such as increasing number of registrars from 90 to over 100 for speedy Aadhaar generation, uploading resident data packets within 20 days of enrolement, and engaging multiple printers to print Aadhaar letters, the Minister said.

But, there are some problems during enrolment, he said.

"Availability of proper infrastructure such as access to villages, public buildings for enrolment electricity, availability of verifiers appointed by the registrars, are some of the problems being faced during Aadhaar enrolment."

Friday, March 1, 2013

Though biometrics get quite a lot of attention from people interested in privacy, the real action is in the internet browser and online services. Just remember — If you are not paying for it, you're not the customer; you're the product being sold*.

The Microsoft "Scroogled" ad campaign against Google is interesting because it indicates that the high-level marketing types at Microsoft believe the public is open to the message that some web services are taking too much information from users compared to the value the users receive in "free" services. Whether respect for privacy is a competitive differentiator among web services remains to be seen, but the fact that Microsoft has spent real time and money on the assumption that it is should not go unnoticed.

The bulk of the article linked above is devoted to privacy standards, privacy policy and corporate management. While that's not nearly as eye-catching as a slug fest between Information Age titans, it is a much more substantial issue and one worth of serious attention.

Welcome to the SecurLinx Blog

Here we draw attention to items of interest in the biometrics and identity-management landscape.

SecurLinx offers patented solutions that store, process and share biometric template information specific to the challenges of law enforcement, gaming and the security industry.

We see ourselves as building the bridge between Biometric Service Providers (BSP's) that create new technology and the end users that have a problem in search of a solution and who could not care less about the technology itself.

Contributors

SecurLinx Links

If you have a concern about any posting or comment being factually incorrect, please contact us. Please provide detailsof who you are, how we can contact you, what your interest is, and what your concern is. If something has been writtenthat is factually incorrect, it will be addressed. Anonymous complaints will be ignored.